Action de recherche coopérative INRIA

Java Card : sémantique, optimisations et sécurité

The INRIA research action Java Card has as its aim to coordinate research
carried out at INRIA concerning formal aspects of Java and Java Card, a
Java dialect for programming smart cards. This includes research on the
formal semantics of these languages, program analysis for program optimization
and methods for verifying safety and security related properties.

The Java
Card language (latest version: 2.1) is a subset of Java. Certain data
types such as long integers, floating-point values and characters have
been removed; there are no threads and classes are not loaded dynamically.
The language has been extended with facilities for programming atomic transactions
and for specifying applet isolation and sharing through interfaces (only
in Java Card 2.1). The Java card language is being designed in collaboration
with the Java Card Forum.

Programming smart cards in Java

One of the major interests in the Java language is the possibility of downloading
code and executing it in a transparent manner. This practice raises serious
problems regarding the security of information (confidentiality and integrity
in particular). Java addresses these concerns, and others, through a greater
level of safety features in the language (typing, verification of imported
code, simple inheritance, etc.) and a security manager which enforces security
policies. The language itself is considered safe but this assertion is
still a topic of debate, all the more so since there is no formally specified
official definition of the semantics of the language. The need for a formal
definition clearly arises from the contradictory declarations of type-safeness
and the fact that Java integrates a certain number of complex features,
making the formalization of the language (at the very least some of its
critical aspects) essential. Indeed, there are particular characteristics
of Java which have a direct impact on security and for which the informal
definitions are neither comprehensive nor free of ambiguity.

Recently, Sun published the definition of a version of Java, called
Java Card, intended for programming smart cards. Java Card was designed
by removing a certain number of constructions of Java considered to be
useless or too complex for smart cards (there are no "threads", memory
is not recovered automatically, class loading is more restricted than in
Java etc.) and by adding specific facilities to manage transactions with
a card (atomicity of a group of operations, persistent objects, etc.).
The security policy of Java (known as the "sandbox" model) which prohibits
any interaction between the objects of different applets, was modified
and relaxed. Thus, Java Card makes it possible to share an object between
several applets.

The efficiency aspect did not have priority in the definition of Java.
However, since the resources of a smart card are as limited in terms of
computation as in memory, the performance of code intended to be executed
on a card becomes significant. It is necessary, therefore, to have powerful
analysis and optimization techniques for Java Card.

Research themes

Axiomatization of static and dynamic semantics of Java Card and
proof of the safety of the type system of the language ("subject reduction
theorem") from this axiomatization. The property of safety is a precondition
to any specification of a security policy. It is also planned to specify
the virtual machine, its semantics, and the translation between Java Card
and byte-code of the virtual machine (a subset of the byte-code of the
JVM).

Specification of security policies for Java Card. The security policy
defined for Java Card differs from that for Java by allowing a more or
less restricted sharing of objects between the applets loaded on a card.
The objective is to formalize this security policy in order to be able
to study its effect and the requirements it imposes on the components of
a Java Card application. Starting from this formalization it is proposed
to study how to prove the conformance of a program with the security policies.

Optimization of Java Card applications. This concerns adapting and
formalizing traditional methods of optimization to Java Card programs as
well as developing new techniques. The goal is to minimize execution time
and memory consumption, while showing that optimizations do not threaten
the security policies. Transparencies
of R. Guider on the analysis of the form of object structure.